conversion failed when converting date and time from character string

Question

1.00/5 (1 vote)

See more:

I have a form which saves data into sql db. and its working correting
CODE FOR SAVING

C#

public void saveRegister()
        {
            //saves the data in memory

            SqlCommand cmd = new SqlCommand();
            string dat = null;
            dat = regdate.Year + "-" + regdate.Month + "-" + regdate.Day;

            string dat1 = null;
            dat1 = dateofbirth.Year + "-" + dateofbirth.Month + "-" + dateofbirth.Day;

            string sqlQuery = null;
            sqlQuery = "Insert into tblPersonal values('" + dat + "','" + assemblys + "','" + surname + "','" + othername + "','" + gender + "','" + Nationality + "','" + dat1 + "','" + postaladdress + "','" + residentialaddress + "','" + hometownaddress + "','" + telephone + "','" + email + "','" + occupation + "','" + maritalstatus + "','" + nameofspouse + "','" + motherfullname + "','" + motherlivingstatus + "','" + motherhometown + "','" + fatherfullname + "','" + fatherlivingstatus + "','" + fatherhometown + "','" + nokname + "','" + nokresidence + "','" + noktelephone + "','" + images + "')";
            //sqlQuery = "Insert into tblPersonal values('" + membershipid + "','" + dat + "','" + assemblys + "','" + surname + "','" + othername + "','" + gender + "','" + Nationality + "','" + dat1 + "','" + postaladdress + "','" + residentialaddress + "','" + hometownaddress + "','" + telephone + "','" + email + "','" + occupation + "','" + maritalstatus + "','" + nameofspouse + "','" + motherfullname + "','" + motherlivingstatus + "','" + motherhometown + "','" + fatherfullname + "','" + fatherlivingstatus + "','" + fatherhometown + "','" + nokname + "','" + nokresidence + "','" + noktelephone + "','" + images + "')";

            cmd.Connection = conn;
            cmd.CommandText = sqlQuery;
            cmd.CommandType = System.Data.CommandType.Text;
            conn.Open();
            cmd.ExecuteNonQuery();
            cmd.Dispose();
            conn.Close();
        }

I try generating report between two dates and I got the error message 'conversion failed when converting date and time from character string'

CODE FOR THE REPORT

SQL

SqlDataAdapter adp = new SqlDataAdapter("SELECT * from tblPersonal WHERE Regdate BETWEEN '" + this.dtpDate1.Text + "' AND '" + this.dtpDate2.Text + "' ORDER BY Surname", conn);

please help me out

Posted 24-Oct-14 6:56am

mikeoabban

Add a Solution

Comments

Tomas Takac 24-Oct-14 13:01pm

What's the value in this.dtpDate2.Text?

mikeoabban 24-Oct-14 13:06pm

the value of dtpDate1 and dtpDate2 are taking from 2 dateTimePicker

Richard Deeming 24-Oct-14 13:02pm

Your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Sergey Alexandrovich Kryukov 24-Oct-14 13:06pm

You do everything wrong, starting from first lines.
string dat = null; why null? next line would initialize the string anyway.
Same thing about dat1 (never give such names), sqlQuery.
You makes string by concatenation of DateTime properties, by you should use ToString with appropriate format.
You use string concatenation to compose an SQL statement.
And main thing, you are storing strings in database where you need time.

I looks like you have a typical fallacy, using strings representing data instead of data itself. Without giving up this habit and way of thinking, you cannot even start programming. Also, you need to learn programming in general, some basics, the language, but not only. How variables work, reference vs value objects, and a lot more.

—SA

ZurdoDev 24-Oct-14 13:08pm

It means whatever you are passing as dates is not a date. You need to fix that.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Accepted Answer · 2014-10-24T07:09:00

Change your code to use a parameterized query, fixing the SQL Injection[^] vulnerability. Pass your date parameters as dates, rather than strings.

C#

const string sqlQuery = "Insert into tblPersonal values(@regdate, @assemblys, @surname, @othername, @gender, @Nationality, @DateOfBirth, @postaladdress, @residentialaddress, @hometownaddress, @telephone, @email, @occupation, @maritalstatus, @nameofspouse, @motherfullname, @motherlivingstatus, @motherhometown, @fatherfullname, @fatherlivingstatus, @fatherhometown, @nokname, @nokresidence, @noktelephone, @images)";

using (SqlCommand cmd = new SqlCommand(sqlQuery, con))
{
    cmd.CommandType = System.Data.CommandType.Text;

    cmd.Parameters.AddWithValue("@regdate", regdate);
    cmd.Parameters.AddWithValue("@assemblys", assemblys);
    cmd.Parameters.AddWithValue("@surname", surname);
    cmd.Parameters.AddWithValue("@othername", othername);
    cmd.Parameters.AddWithValue("@gender", gender);
    cmd.Parameters.AddWithValue("@Nationality", Nationality);
    cmd.Parameters.AddWithValue("@DateOfBirth", dateofbirth);
    cmd.Parameters.AddWithValue("@postaladdress", postaladdress);
    cmd.Parameters.AddWithValue("@residentialaddress", residentialaddress);
    cmd.Parameters.AddWithValue("@hometownaddress", hometownaddress);
    cmd.Parameters.AddWithValue("@telephone", telephone);
    cmd.Parameters.AddWithValue("@email", email);
    cmd.Parameters.AddWithValue("@occupation", occupation);
    cmd.Parameters.AddWithValue("@maritalstatus", maritalstatus);
    cmd.Parameters.AddWithValue("@nameofspouse", nameofspouse);
    cmd.Parameters.AddWithValue("@motherfullname", motherfullname);
    cmd.Parameters.AddWithValue("@motherlivingstatus", motherlivingstatus);
    cmd.Parameters.AddWithValue("@motherhometown", motherhometown);
    cmd.Parameters.AddWithValue("@fatherfullname", fatherfullname);
    cmd.Parameters.AddWithValue("@fatherlivingstatus", fatherlivingstatus);
    cmd.Parameters.AddWithValue("@fatherhometown", fatherhometown);
    cmd.Parameters.AddWithValue("@nokname", nokname);
    cmd.Parameters.AddWithValue("@nokresidence", nokresidence);
    cmd.Parameters.AddWithValue("@noktelephone", noktelephone);
    cmd.Parameters.AddWithValue("@images", images);

    conn.Open();
    try
    {
        cmd.ExecuteNonQuery();
    }
    finally
    {
        conn.Close();
    }
}

Also, fix the SQL Injection vulnerability for the report:

C#

SqlDataAdapter adp = new SqlDataAdapter("SELECT * from tblPersonal WHERE Regdate BETWEEN @StartDate AND @EndDate ORDER BY Surname", conn);
adp.SelectCommand.Parameters.AddWithValue("@StartDate", this.dtpDate1.Value);
adp.SelectCommand.Parameters.AddWithValue("@EndDate", this.dtpDate2.Value);